Red Hat Bugzilla – Bug 146181
mod_auth_kerb keytab type documentation
Last modified: 2008-02-05 00:56:45 EST
Description of problem:
The documentation for mod_auth_kerb states that the keytab needs to be
of type HTTP/<fqdn_of_www_server>@REALM. If another keytab service
type is required, then you must use KrbServiceName "service", where
"service" would most likely be host/<fqdn_of_www_server>@REALM.
The documentation is wrong. Keytabs of service type host/ are
accepted by default.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Get a keytab for the system, of 'normal' type host/
2. In .htaccess put the proper location to krb5keytab to point to this
file, also make sure krbauthrealm is properly set and krbverifykdc is
set to off.
3. Put in the AuthName and require user@REALM entries in .htaccess
The user is allowed in with their Kerberos credentials.
Since the keytab is of type host/, and not HTTP/ as per the
documentation, mod_auth_kerb shouldn't work, but it does.
Many universities (MIT, for example) have a web site set up to allow you
to request a keytab. Their staff has access to automated scripts,
etc., that let them create keytabs of type host/, not HTTP/. Had the
documentation stated correctly that keytabs of type host/ work out of
the box, much time would have been saved.
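The configuration the reproduction steps describe, written out as an added example (not taken from the bug report or the mod_auth_kerb sources); the keytab path, realm and user are placeholders, and the directive names are those documented in the mod_auth_kerb README:

```apache
# Added example, not part of the bug report. Placeholders: EXAMPLE.COM,
# /etc/httpd/conf/http.keytab, alice@EXAMPLE.COM.
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms EXAMPLE.COM
Krb5Keytab /etc/httpd/conf/http.keytab

# Default service name: the module looks for HTTP/<fqdn>@REALM in the keytab.
# KrbServiceName HTTP

# What the README says to set when the keytab holds host/<fqdn>@REALM instead:
# KrbServiceName host

# Step 2 of the report turns this off. The README documents KrbVerifyKDC as the
# check of the obtained ticket against the local keytab that prevents KDC
# spoofing, to be disabled only for testing; with it off, the keytab type is
# never checked on the password path, so leave it on outside of testing.
KrbVerifyKDC on

KrbMethodNegotiate on
KrbMethodK5Passwd on

require user alice@EXAMPLE.COM
```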
By "documentation" are you referring to the wording in the example
configuration file, /etc/httpd/conf.d/auth_kerb.conf, or the README?
Whoops, sorry about the ambiguity.
Documentation refers to
1) The README, lines 92 and 139.
2) The example /etc/httpd/conf.d/auth_kerb.conf, lines 12-13.
I looked at every piece of documentation from
http://modauthkerb.sourceforge.net/, and it agrees and says the same.
Also, the code, at (unpatched 5.0-rc6 source) line 236 in
mod_auth_kerb.c, does a specific '... ->krb_service_name = "HTTP"'.
Sorry, I'm still not clear what you're reporting. Are you saying that
the documentation is wrong and should be changed to match the
behaviour of the code? Or that the code is wrong and should be
changed to match the documentation?
I'm not sure precisely what is confusing about the README; it merely
talks about the default service name. Likewise the line of code you
reference merely sets the default service name, allowing the
configuration to override it if desired.
Sorry, confusion definitely happens when I've yet to have coffee.
The documentation is wrong. The documentation says HTTP/ _only_ works
by default. I have keytab in place of type host/, and this works. I
did not specify type host/ in the configuration, as the documentation
says I needed to.
I listed the source code only to show that even the source code says
type HTTP/ is the default, and that type host/ is nowhere to be seen.
This was only done to point out that I have no idea _where_ the code
is allowing type host/ by default.
Documentation is sort of right... While the mod_auth_kerb system WILL work with host/ instead of
HTTP/, it may create problems with certain clients. The "standard" is HTTP, so while some browsers will
go in fine with a host tab only, the lack of HTTP may create problems with others. The software
SHOULD be modified to match the documentation, although that would be removing a useful if
"incorrect" feature. Changing the documentation will potentially cause problems elsewhere.
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.
Fedora Core 3 is not maintained anymore.
Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the
current Fedora release please reopen this bug.